Concluding Remarks

The purpose of this chapter (believe it or not) wasn't to badmouth HIDSes, but rather to demonstrate what you can achieve by combining the techniques described throughout this book. Just for fun, here is another example.

Combine the icmp_input_hook code from Chapter 2 with portions of the execve_hook code from this chapter to create a "network trigger" capable of executing a user space process, such as netcat, to spawn a backdoor root shell. Then, combine that with the process_hiding and port_hiding code from Chapter 3 to hide the root shell and connection. Include the module hiding routine from this chapter to hide the rootkit itself. And just to be safe, throw in the getdirentries_hook code for netcat.

Of course, this rootkit ...
